Cyber Security

by

LAST MODIFIED: 11 January 2017

DOI: 10.1093/obo/9780199743292-0196

Introduction

The Internet has expanded rapidly since its commercialization in the mid-1990s. In the early 21st century, a third of the world’s population has access to the technology, with another 1.5 billion expected to gain access by 2020. Moreover, the “Internet of Things” will lead to an exponential increase in the number of devices connected to the network. As a result, the economic and political incentives to exploit the network for malicious purposes have also increased, and cybersecurity has reached head-of-state-level attention. In parallel, publications on the topic by academic, policy, industry, and military institutions have multiplied. Scholars within the international relations (IR) discipline and its subfields of security studies and strategic studies increasingly focus on the technology’s implications for national and international security. This includes studying its effect on related concepts such as power, sovereignty, global governance, and securitization. Meanwhile, the meaning of cybersecurity and information security has been highly contested. Broad definitions of the concept incorporate a wide range of cyberthreats and cyberrisks, including cyberwarfare, cyberconflict, cyberterrorism, cybercrime, and cyberespionage as well as cybercontent, while narrower conceptualizations focus on the more technical aspects relating to network and computer security. This article focuses on cybersecurity in the IR context from the perspective of political conflict, including the scholarship on cyberwarfare, cyberconflict, and cyberterrorism. The literature on cybercrime deserves a stand-alone article, as does cyberespionage from the perspective of surveillance and intelligence activities. This article references only a few publications from the latter two categories as they relate to cyberconflict.

While scholars take the technology’s implications for international security increasingly seriously, they continue to disagree about the level and nature of threat and the appropriate policy responses that governments and other stakeholders should adopt. States also have very different perspectives on cyberspace and its appropriate use, with an increasing number developing offensive cybercapabilities. Cybersecurity has become an integral part of governments’ national defense and foreign and security policies and doctrines, contributing to the construction of cybersecurity as a new domain of warfare. Efforts to develop rules of the road for cyberspace focus on the applicability of existing international law, potential gaps, the development of norms, confidence-building measures, and postulating deterrence postures. As a consequence, a cybersecurity regime complex has evolved, encompassing multiple regional and international institutions that play pivotal roles in shaping policy responses. This article offers a selective list of relevant literature. The coauthors would like to thank the experts in China, India, Russia, Switzerland, and the United States who responded to their request to share their top-ten most relevant cybersecurity publications. The coauthors incorporated this feedback in their process for developing this article to reduce bias and to include international perspectives on the most-relevant English-language literature.

General Overviews

Since 2007, a number of in-depth, book-length studies have been published that build on the largely conceptual and hypothetical literature of the 1990s on information security and its evolution and focus on cybersecurity. There had been a noteworthy gap and shift in the literature following the 9/11 terrorist attacks, until the high-profile cyberincidents toward the end of the first decade of the 21st century reignited interest and scholarship on cybersecurity. Singer and Friedman 2014 offers a highly accessible introduction to definitions, relevance, and policies of cybersecurity. Segal 2016 describes how the expansion of the Internet reshapes traditional forms and rules of international power struggles more broadly and ushers in a new era of geopolitics. The history of this development is the focus of a strategic dossier compiled by the London-based International Institute for Strategic Studies (Tikk-Ringas 2015), detailing the technology’s evolution and political implications starting with the 1950s. Healey 2013, a historical account of cyberconflict, argues that the first cyberincident occurred in 1986, and it deduces lessons from ten major incidents that followed thereafter for early-21st-century cybersecurity debates. The limitations and benefits of various historical analogies to other military domains for understanding and improving cybersecurity are discussed extensively in Goldman and Arquilla 2014. In-depth discussions of the implications of cybersecurity include Libicki 2007, with Kramer, et al. 2009 providing a strategic framework for US cybersecurity policymaking. Clark, et al. 2014 presents a comprehensive catalogue of relevant research and policy questions informed by the authors’ technical expertise.

Clark, David, Thomas Berson, and Herbert Lin, eds. At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues. Washington, DC: National Academies Press, 2014.

Reviews key cybersecurity policy challenges from a technically informed perspective of three leading scholars at the nexus of information technology and policy. Fully readable and highly accessible online.

Edited volume sponsored by the US Cyber Command assessing the value of historical and cross-domain analogies, ranging from military surprise attacks and nuclear planning to economic warfare, air defense, and offense-defense balances. Fascinating testimony of how analysts and practitioners seek to understand and solve problems in a nascent, understudied area perceived as vitally important.

One of the first comprehensive historical accounts of cyberconflict, written from the practitioner’s perspective of a former member of the US Air Force. The edited volume includes systematic analyses of ten case studies of important cyberconflicts between 1986 and 2012.

This comprehensive edited volume develops conceptual policy recommendations for how the US government should strategically use cyberpower to enhance its national and security interests. Key compendium of US military, scholarly, and industry voices on a broad range of policy issues.

An early and important analysis of the prospects for information warfare. The author contends that threats to information systems, including in the areas of defense and command and control, are exaggerated, since control over these is difficult to sustain.

A nonalarmist account of how cyberconflict and competition evolve internationally, written by a China expert. Argues that cyberattacks pose less of a threat of bodily harm but more to infrastructures such as financial institutions, power grids, and security networks and that the post-pax digital Americana order will once again be dominated by geopolitical maneuvers.

Highly readable, informative, and accessible entry point, with its own website providing a detailed table of contents and discussion questions. Explores “How It All Works,” “Why It Matters,” and “What Can We Do?” Contends that transnational cyberthreats increasingly undermine the prospects for effective international cooperation, which requires building more-resilient systems.

This comprehensive historical analysis illustrates key developments and trends shaping cybersecurity since the inception of computer networking in the 1950s. Dedicates separate chapters to each decade as well as to the themes of Internet governance, normative approaches to cybersecurity, intelligence, and military affairs. Attaches appendixes on international instruments and standards.

Inaugurated in spring 2016, the Cyber Defense Review (CDR) is a quarterly journal published by the US Army Cyber Institute and US Marine Corps Forces Cyberspace Command (MARFORCYBER) that has set out to become a forum for military and civilian experts on cyber strategy, operations, tactics, history, law, and policy. Also features a useful blog.

Official journal of the International Information System Security Certification Consortium. Formerly known as Information Systems Security and tailored for cybersecurity practitioners, it focuses on cloud security and social engineering.

Managed by the London-based think tank Chatham House, the first two issues are scheduled for 2016. Aims at bridging the gap between policy and technology, with a focus on cybersecurity, safety, access, and privacy.

Launched in December 2015, this fully open-access journal focuses on publishing interdisciplinary work on computer, information, and systems security. It seeks to create a hub for the various disciplines within the broader cybersecurity community, also offering an online resource center that provides details on conferences and events, cybersecurity training and guidelines, and other background material.

Well-established journal on strategic studies that published several groundbreaking articles on the probability of cyberwar in 2012, which triggered vital debates and led to a cyber roundtable and a concomitant special issue in 2013 that remained a key reference point.

Forum for the academic and industry research-and-development community on cybersecurity, with an emphasis on cryptographic mechanisms applied to information and communication networks, and with a distinctly international editorial board.

Online Resources and Blogs

Cybersecurity is a young field of study that is evolving and changing quickly, in which research has proliferated dramatically across disciplines in the early 21st century. A set of academic, policy, and industry websites and blogs provide useful entry points to access sources and keep track of current debates. NATO’s public diplomacy division has established the most extensive multimedia online library available. The think tanks Council on Foreign Relations (CFR), Center for Strategic and International Studies, and New America offer a continually updated anthology of links to key sources (Research Links: Cybersecurity Policy), an interactive Cyber Incident Timeline, and a Global Cyber Definitions Database, respectively. The magazine Foreign Policy maintains a dynamic channel on technology and cyber (Tech & Cyber). Bruce Schneier’s blog (Schneier on Security) offers a critical voice on early-21st-century cybersecurity developments. The Congressional Research Service regularly publishes a compendium of authoritative reports and governmental documents (Tehan 2015). The International Organization for Standardization publishes standards on definitions and concepts (ISO/IEC 27000:2016).

An interactive timeline that records significant cyber events since 2006 and is updated regularly, focusing on cyberattacks on government agencies and defense and high-tech companies or on economic crimes with losses of more than a million dollars.

The first part of the ISO/IEC 27000 Information Security Management Systems standards by the International Organization for Standardization and the International Electrotechnical Commission. Provides a technically informed and continually updated introduction, including a glossary on information security. Indispensable supplement to social science and historical accounts.

Offers another useful gateway, listing links to news hubs; data, polls, and surveys; background and research guides; anthologies of key publications; US government and congressional reports and legislation; public-private partnerships; and international cooperation. Also links to CFR’s Net Politics Blog and other useful blogs, and industry data on threat developments.

Latest edition of the regularly published, comprehensive, and accessible compendium of pivotal reports and resources by the US Congressional Research Service. Highly useful overview of key US legislation, hearings, executive orders and presidential directives, data and statistics, cybersecurity glossaries, reports, and websites.

International-Relations Perspectives on Cybersecurity

Despite a growing consensus that cyberspace has significant implications for international relations (IR) in general and security in particular, existing scholarship has generated relatively few IR theory-oriented analyses on the topic so far, apart from early pioneers such as Deibert 2003. Manjikian 2010 assesses the potential of realist and liberal approaches and illustrates how these two approaches reveal the variation in Chinese, Russian, and US perceptions of the likelihood of conflict in cyberspace. In 2011, the International Studies Association—the discipline’s most prominent institutional body—made “Power, Politics, Participation in the Global Information Age” the main theme of its annual convention, whose key publications appeared in a special issue of International Studies Review (Singh and Simmons 2013). This publication illustrates the nascent scholarly debate on cybersecurity within mainstream IR. The author of Choucri 2012 was among those encouraging the broader IR community to further explore cybersecurity, which as she argued had become an integral part of national security. Both Junio 2013 and Kello 2013 contribute approaches to IR theory building from the perspectives of principal agent and international security studies. Floridi and Taddeo 2014 links the IR debate on ethics with discussions on cybersecurity and assesses the utility of the Just War theory for tackling ethical problems in cyberwarfare doctrines. Finally, Stevens 2016 adopts an eclectic IR approach of security studies, political theory, and social theory to explore how cyberspace has changed the meaning of time and temporality in political processes related to security.

Among the early works on IR and cyberspace. Argues that cybersecurity has become the fourth dimension of state security next to external, internal, and environmental security. Chapter 6 focuses on cyberconflicts and threats to security. For more details, see the Harvard-MIT Explorations in Cyber International Relations project.

Deibert was one of the first political scientists to examine how states begin to militarize cyberspace, what the consequences for the global communication environment are, and which forms of resistance occur.

Discusses the ethical problems posed by waging war through the use of new information-and-communications technologies. Includes stimulating contributions that reveal the benefits and limitations of the Just War theory and alternative approaches to solve these problems.

As a part of a roundtable on whether cyberwarfare is a significant threat, this article calls for a research program for the study of cyberwar and provides a theory-oriented approach from the principal-agent perspective.

Another contribution to building a framework for understanding cyberthreats and their consequences for security, taking the perspective of international security studies. Argues that cyberweapons constitute a new threat marked by the use of nonmilitary means of nontraditional actors to inflict economic and social harm that further expands the scholarly conceptualization of security.

Combines insights from IR, security studies, political theory, and social theory to study the politics of cybersecurity, illustrating how cybersecurity communities’ understanding of time and temporality influences the political practice of cybersecurity and creates a sense of urgency for pervasive and robust countermeasures against threats.

Cybersecurity and Cyberpower

Related to the scholarship on cybersecurity is the literature on how cyberspace shapes power in international politics, and the impact these shifts have on the perception and meaning of national and international security. Defining cyberpower as an actor’s ability to obtain preferred outcomes within and outside cyberspace by employing electronically interconnected information resources, Nye 2011 highlights that the current information revolution changes the nature of power and increases its diffusion from powerful states to smaller states and nonstate actors. The author cautions that this aspect of power diffusion might be more threatening to international security than power shifts from established powers to states in the Global South. David Betz (Betz 2012) agrees but argues in contrast to Joseph Nye that greater connectivity has a perpetuating effect, if any, on the current global distribution of military power capabilities. His argument is built on a conceptual work (Betz and Stevens 2011), which constructs a multidimensional concept of cyberpower. Ebert and Maurer 2013 demonstrates that, in contrast to mainstream assumptions in IR neorealist theories, rising powers have not pursued concerted power-balancing policies against the US cyber hegemony, and that the outcome of cyber competitions among rising powers significantly shapes the conflict proneness of the future information-based order. Klimburg 2011 provides an insightful conceptualization of cyberpower, the relationship between the state and nongovernmental actors, and the use of proxy actors to project power.

Argues, in contrast to Nye, that the information revolution has a limited effect on the distribution of power among states and that greater connectivity, if anything, reinforces the existing distribution of military power, but agrees with him that nontraditional strategic actors benefit disproportionately and that states should focus doctrinal adaptations on this aspect.

Balanced study of the effects of cyberspace on the ways in which states project power. Develops a multidimensional concept of “cyber-power” entailing compulsory, institutional, structural, and productive dimensions. Involves a discussion on sovereignty, war, and dominion in cyberspace, concepts that are closely linked to cybersecurity, arguing that cyberwar is unlikely.

Examines the cybersecurity policies of the member states of the BRICS grouping (containing Brazil, Russia, India, China, and South Africa), which seem to defy traditional assumptions by balance-of-power theories.

Provides a conceptualization of cyberpower and the role of the state and nongovernmental actors and discusses how states such as China and Russia project cyberpower by covertly or overtly using nonstate actors for deniable cyberattacks.

Building on his previous, seminal scholarship on power, Nye offers pioneering work on how, in the global information age, the characteristics of cyberspace enhance the diffusion of power, which might well constitute a greater threat to international security than power transition (in chapter 6 of this book on power generally, which is based on an earlier report).

Cybersecurity through the Lens of Securitization Theory

An increasing number of studies on cybersecurity have adopted the perspective of securitization theory, a diverse IR approach associated with the Copenhagen school that draws on constructivist, realist, and post-structuralist assumptions and methods. In general, the theory analyzes why, how, and with what consequences particular issues are constructed as distinct national or international security concerns legitimizing extraordinary measures such as the use of force, large-scale intelligence gathering, and invasion of privacy. Cyber issues have been framed as security concerns since the 1980s but became constructed as existential threats to national security only in the post–Cold War era and in particular in the first decade of the 21st century, when uncertainty related to technological innovation, rising powers in the Global South, and transnational terrorism increased. In this context, risks became framed in terms such as “weapons of mass disruption” and “electronic Pearl Harbors” (compare Munro 1995, cited under Cyberconflict). Eriksson and Giacomello 2006 builds on the senior author’s earlier work on securitization of information technology in Sweden to highlight the relative advantages of the securitization perspective compared to liberal and realist accounts. Hansen and Nissenbaum 2009, whose senior author is among the leading scholars of securitization theory, argues that cyberspace has become an additional sector next to the traditional military, political, economic, societal, and environmental sectors in which securitization can take place. Cavelty 2013 broadens this perspective at the theoretical level by combining securitization theory with discourse theory, as well as at the empirical level, by exploring how a selection of cybersecurity policies rely on competing threat representations.

Deibert and Rohozinski 2010 and Morozov 2011 identify a wave of securitization efforts in the first decade of the 21st century and discuss its implications for Internet freedom.

Cavelty, Myriam Dunn. “From Cyber-bombs to Political Fallout: Threat Representations with an Impact in the Cyber-security Discourse.” In Special Issue: International Relationships in the Information Age. International Studies Review 15.1 (2013): 105–122.

On the basis of the author’s earlier work on cybersecurity and cyberthreat politics in the United States, the article combines securitization theory with discourse theory to explore the language used to turn political issues related to cyberspace into security matters. Cavelty identifies three main threat representations and links these to selected cybersecurity policies and practices.

Early attempt to review IR’s value for understanding cybersecurity, contending that the constructivist focus on social images and language emphasized in securitization theory and the liberal emphasis on interdependence promise a relatively greater potential than do realist accounts to understand the impact of the information revolution on security.

Adopts securitization theory to analyze the securitization process in the case of cyberattacks against Estonian institutions in 2007, which illustrates that the distinct constellation of threats and referent objects makes cybersecurity a distinct sector.

Highly readable and provocative account of the political ramifications of the spread of the Internet, highlighting how the latter constricts and abolishes freedoms both in democratic and authoritarian states when security actors dominate the discourse.

Cyberthreats and Cyberrisks

The scholarship on cybersecurity threats to international security covers a range of different actors. It also includes foundational debates about the nature of the threat and the technology’s impact on conventional conflict and war. For example, the debate over whether cyberwar will or will not take place consumed scholarly attention for several years. Similarly, cyberterrorism has been a persistent theme in the literature, eventually shifting toward studies on how terrorists use the Internet. Both have been partly a discussion about definitions, and the growing scholarship conceptualizing cyberweapons and cyberconflict has shed a more nuanced light on the distinctions between various cybersecurity threats, ranging from espionage to sabotage, warfare, and terrorism. The literature on cyberconflict has been expanding to include more-formal models on the timing of cyberconflict, to discuss the relationship between cyberwarfare and conventional conflict, and to analyze the type of effects that are unique to cyberoperations. With regard to actors, more state-centric perspectives have been complemented by a growing body of articles examining proxy actors, independent hacktivist groups, and private-sector-active cyberdefense.

The Cyberwar Debate

Clarke and Knake 2010, titled Cyber War, sparked a revival of scholarly attention to cyberwar and an international debate about whether cyberwar will or will not take place. Unlike previous scholarly discussions of this topic, this time it occurred against the backdrop of the news coverage of the Stuxnet malware, the first cyberattack to have arguably crossed the use-of-force threshold, causing physical damage to an Iranian nuclear facility. Zetter 2014 remains the most comprehensive account of Stuxnet to date. While Clarke and Knake 2010 warns of the dangers of cyberwar, Rid and Arquilla 2012 and Rid 2013 constitute a rebuttal offering a skeptical assessment of its occurrence. Thomas Rid applies classic political-science concepts such as number of deaths in a conflict to discuss its qualification as war. His publication in turn prompted a series of responses, including by early cyberwar theorist John Arquilla (Arquilla 2012) and by John Stone (Stone 2013), and increasingly nuanced discussions of the potential effects of cyberoperations illustrated by Gartzke 2013 and Lindsay 2013, the latter a detailed discussion of Stuxnet and its implications in 2013.

This book triggered a new debate in the United States and abroad over the possibility of cyberwar and threats to the United States. It paints an alarmist picture of the increasing number of vulnerabilities and risks as the Internet has been expanding, with specific proposals and recommendations for how to address them.

A nuanced review of the debate about whether cyberwar will or will not take place, placing cyberoperations into the broader political context and making the case for a logic of consequences to apply in evaluating the likelihood of cyberwarfare. Ultimately, expresses a skeptical view about the notion of cyberwar per se.

In-depth analysis of Stuxnet by a former US Navy officer, arguing that offense is not as easy as commonly assumed given the complexity required to deploy a cyberweapon, thereby contradicting the dominant cyberrevolution thesis that cybercapabilities give an advantage to stronger over weaker actors.

This publication is Rid’s book-length expansion of the argument he advanced with Arquilla in their Foreign Policy article (Rid and Arquilla 2012), embedding the assessment of whether cyberwar will or will not take place in the broader political-science literature and theory on war.

Cyberconflict

The debate about whether cyberwar will or will not take place ultimately focused on questions of thresholds—namely, the number of fatalities and the scale of physical damage. While important, it also distracted scholarly attention from investigating the effect and implications of the vast majority of cyberincidents occurring to date that remain below such thresholds and the legal threshold of use of force and armed attack. The cyberwar debate informed the linguistic shift away from Neil Munro’s description of the fear of an electronic Pearl Harbor (Munro 1995) toward notions of cyberconflict rather than war and toward the notion of cybered conflict rather than cyberconflict. Rattray 2001, a discussion of strategic warfare in cyberspace, outlines many of the themes and arguments still present in the cybersecurity literature today. After the hiatus and shift following the 9/11 terrorist attacks, scholarly attention started to focus on cyberspace again several years later. For example, the publication of Cornish, et al. 2010 followed cyberincidents making front-page news, such as the 2007 distributed-denial-of-service attack disrupting many online services in Estonia. Lin 2012 discusses escalation dynamics and conflict termination, illustrating the growing depth of the scholarly cybersecurity discussion and the combination of political with technical analysis. This includes Dombrowski and Demchak 2014, which advances the notion of cybered conflict instead of cyberconflict to highlight that actions in cyberspace are usually coupled with broader political tensions and conventional actions. And the authors of Axelrod and Iliev 2014 are among the first scholars to apply formal, mathematical modeling to cyberconflict.

Axelrod, Robert, and Rumen Iliev. “Timing of Cyber Conflict.” Proceedings of the National Academy of Sciences of the United States of America 111.4 (2014): 1298–1303.

Analyzes and provides a mathematical model for the optimal timing for the use of cyber resources, applying it to the following case studies: Stuxnet malware targeting an Iranian nuclear facility, cyberattack wiping hard drives of the Saudi company Saudi Aramco, cyberespionage by the Chinese government, and China exercising economic coercion against Japan.

Examines cyberoperations primarily from the perspective of their implications for US national security, particularly the US Navy and maritime space, preferring to use the term “cybered conflict” instead of “cyber war.”

Offers one of the earliest quotes drawing an analogy to Pearl Harbor, by citing Robert Ayers, head of the Defense Information Systems Agency’s information warfare unit, saying that “We are not prepared for an electronic version of Pearl Harbor. . . . Our [electronic] infrastructure is not safe and not secure.”

Written at the turn of the 21st century, this systematic analysis discusses strategic information warfare, delineating it from economic competition. It focuses on the strategic effects that political actors might achieve, comparing it to the concept of strategic air power developed after World War I and strategic information warfare developed in the 1990s.

Cyberoperations and Cyberweapons

The functioning and potential effects of cyberoperations and cyberweapons closely relate to the debate over whether cyberwar will or will not take place and are integral parts of the scholarship on cyberconflict. These are also at the center of what differentiates information operations from cyberoperations. Libicki 1995, a discussion and conceptualization of information warfare, is an early attempt to distinguish among information warfare, electronic warfare, and cyberwarfare. Belk and Noyes 2012, on the use of offensive cybercapabilities, reflects the evolution in conceptual thinking in the interim years, with Liff 2012, Peterson 2013, and Herr 2014 offering increasingly detailed analysis of the composition and functioning of cyberweapons. Brown and Metcalf 2014, in turn, provides a legal perspective on the concept of cyberweapons and related challenges.

Belk, Robert, and Matthew Noyes. On the Use of Offensive Cyber Capabilities: A Policy Analysis for the Department of Defense Office of Cyber Policy. Policy Analysis Exercise. Cambridge, MA: John F. Kennedy School of Government, 2012.

Argues that academic approaches to cyberweapons are difficult to translate into practical legal concepts for military advisers. Instead proposes to focus on the context of how a capability will be used, describing different techniques before discussing application of existing law to cyberweapons and subsequently proposing a definition of “cyber weapon.”

A comprehensive analysis of the increasingly popular concept of “information warfare” at the time, arguing that information warfare does not exist as a distinct warfare technique and distinguishing among seven different forms of information warfare.

Excellent primer on the concept of a cyberweapon, specifically focusing on industrial control systems and highlighting that they are relatively cheap to develop but difficult yet possible to deploy, and that maintaining a link to and persistent access to the deployed weapon is the most challenging aspect.

Nongovernmental Actors and Cybersecurity

In addition to the scholarship on interstate warfare in and through cyberspace, there has been a growing number of publications analyzing the role of nongovernmental actors in the context of cyberconflict. Applegate 2011, a discussion of cybermilitias and political hackers, represents a growing interest in the role of nongovernmental actors. Schmitt and Vihul 2014, for example, provides an in-depth examination, from an international-law perspective, of proxy actors and how they are used by states, whereas Coleman 2014 offers a detailed anthropological account of the Anonymous hacktivist group. Meanwhile, Lachow 2013 and Brangetto, et al. 2014 (the latter published following the sixth international CyCon conference, in Tallinn, Estonia) focus on active cyberdefense by private companies.

Following the cyberincidents in Estonia and Georgia, this article examines the role and status of nongovernmental actors carrying out malicious cyberactivity, discussing whether they should be treated as combatants or criminals.

This book provides an anthropological study of the hacktivist network Anonymous from its evolution to the date of the book’s publication. It is one of the most comprehensive analyses of Anonymous, tracing its evolution and interactions with governments and other actors and providing a unique insight based on the author’s access.

Provides in-depth analysis of existing thresholds in international law applying to proxy actors, arguing that these thresholds are very high, predicting states’ continuous use of nonstate actors, and observing little appetite in the international community to establish a treaty regime.

Cyberterrorism

Cyberterrorism is a special category relating to nongovernmental actors and is worthy of a stand-alone section. To date, there has been no terrorist attack resulting from hacking. The cyberterrorism literature can be divided into publications studying the terrorist use of the Internet, such as the use of social media for recruitment and communications purposes, and publications discussing terrorists launching an actual cyberattack, which remains a hypothetical to date. Conway 2002 sheds light on the sometimes confusing and sometimes sensationalist cyberterrorism terminology and how it has been used in the literature; the author’s insights are valid to this day. Weimann 2004 assesses the cyberterrorism threat three years after 9/11, and Chen, et al. 2014 presents an updated assessment ten years later. The International Law Association created a study group on cybersecurity, terrorism, and international law in late 2013, which provided an overview of relevant international legal issues relating to cyberterrorism (Fidler 2015). In the latest development, a drone strike killed a hacker affiliated with a terrorist group for the first time in 2015, as described in a Wall Street Journal article (Coker, et al. 2015).

Book consisting of ten chapters written by contributors from multiple disciplines, examining legal definitions of cyberterrorism and discussing cyberterrorism in the broader context of terrorism, and cyberthreats more generally.

Discusses what constitutes cyberterrorism, reviewing existing literature on the issue and arguing that terrorist use of the Internet has often been confused with the more sensationalist cyberterrorism terminology.

Provides a comprehensive analysis of international law relating to cyberterrorism, acknowledging that there is no known case of terrorists having successfully launched a destructive cyberattack but that it has been identified as a potential threat repeatedly in cybersecurity-related publications.

Argues that the cyberterrorism threat has been exaggerated but that cyberterrorism is a potential threat and that fears of its occurrence have been driven by psychological, political, and economic factors.

Geopolitics of Cybersecurity

The theoretical scholarship on cyberwar and cyberconflict and the type of actors involved has been complemented by a growing body of literature on the geopolitics of cybersecurity as well as government strategies and policies relating to cyberspace. The United States, China, and Russia are among the most sophisticated state actors in cyberspace and are heavily involved in international discussions about cyberconflict, and therefore they merit stand-alone sections. In addition, North Korea deserves special attention in light of its use of offensive cyberoperations, as do countries in the Middle East (namely, Israel and Iran). The cyberattack against Saudi Aramco is included to shed light on the developing threat landscape and escalatory development in the early 21st century. Meanwhile, a New York Times article about hackers in Argentina and a BBC article about the arrest of Chinese hackers in Kenya illustrate the global dimension of the cybersecurity ecosystem.

The United States and Cybersecurity

The United States remains the only superpower in the world, often setting precedents and standards emulated by other countries, including regarding cyberspace and cyberconflict. In 2010, William Lynn, US deputy secretary of defense at the time, declared cyberspace to be a new operational domain for the US military (Lynn 2010). Meanwhile, the Obama administration expressed a specific desire for rules of the road for cyberspace in its 2011 international strategy for cyberspace (Obama 2011), influenced by a growing sense of vulnerability and an increasing number of states developing military doctrines for cyberspace. A unique insight into some of these vulnerabilities is provided by former senior counsel at the US National Security Agency, Joel Brenner (Brenner 2011). The complexity of cybersecurity is detailed in the President’s Review Group on Intelligence and Communications Technologies (US Government, the White House 2013), established in response to the disclosures by Edward Snowden in 2013, which produced one of the most detailed discussions of cybersecurity, including the implications for security and liberty. One particularly crucial aspect was further discussed in an unprecedented White House blog post describing the US government’s process for deciding when to disclose a vulnerability (Daniel 2014). The US government’s international vision gained further contour with the 2014 report of the US Department of State’s International Security Advisory Board, outlining the vision for international cyberstability (US Department of State, International Security Advisory Board 2014). Five years after Lynn 2010, the Pentagon released its new cyberstrategy, acknowledging offensive capabilities (US Department of Defense 2015), and Secretary of State John Kerry outlined five specific norms to govern behavior in cyberspace in his 2015 speech in South Korea in furtherance of the goal of international cyberstability (Kerry 2015).

Brenner, Joel. America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare. New York: Penguin, 2011.

Written for a popular audience by a former senior counsel at the US National Security Agency, this book offers an insightful outline of various cybersecurity threats and the new challenges and questions they present.

This blog post published by the White House on its website provides a rare outline and some details about the government’s vulnerability equities process and decision making for when to withhold or disclose knowledge of computer vulnerabilities.

Outlines the Obama administration’s international strategy for cyberspace, including stating in the section on deterrence that “the United States will respond to hostile acts in cyberspace as we would to any other threat to our country.”

This cyberstrategy released by the Pentagon reflects a shift in policy, with the Department of Defense no longer narrowly focused on its own networks but defending US interests from cyberincidents with significant consequences, as well as acknowledging offensive capabilities.

Formed in the wake of the disclosures by Edward Snowden, this high-level expert group established by the US president reviewed the US government’s intelligence and cybersecurity policies and practices, issuing recommendations on a broad set of issues beyond the immediate question of surveillance.

China and Cybersecurity

Mirroring US military discussions about cyberwarfare, Qiao Liang and Chiangsui Wang, two PLA officers, argue in Liang and Wang 1999 that China should use such means to exploit its asymmetric advantages. Zhang 2012 offers more insight into the Chinese perspective on cybersecurity, demonstrating that beyond the military use of the Internet, China’s view on cybersecurity is broader than that of the US government and many others to also include content under the broader concept of information security. Meanwhile, the threat perception of Chinese espionage increased significantly over the years, leading to in-depth studies of Chinese intelligence activities such as Inkster 2013 as well as Krekel, et al. 2012. Lindsay 2014–2015 offers an additional analysis of China’s cybersecurity strategy and is particularly noteworthy for trying to view the issue from China’s perspective. Lieberthal and Singer 2012 in turn explores the increasing tensions around cybersecurity in the broader context of US-China relations. Against the backdrop of increasingly alarmist media coverage, Lindsay, et al. 2015 provides a detailed analysis of the issues, tensions, and complexity involved. Meanwhile, Marczak, et al. 2015 documents the early-21st-century escalatory development related to China’s broader conception of cybersecurity tied to its domestic concerns.

Provides a historical analysis of intelligence in China and the evolution of Chinese foreign intelligence agencies after World War II, as well as an outline of current intelligence organizational structures and Chinese use of cybercapabilities.

Written for the U.S.-China Economic and Security Review Commission, this more than 100-page report by Northrop Grumman provides a detailed description of China’s cybercapabilities, doctrine, and organizational structures.

Report based on the discussions of a yearlong working group studying US-Chinese relations in the context of cybersecurity, identifying it as an issue of growing concern and outlining an agenda for bilateral engagement on the topic.

Provides a nuanced analysis of China’s approach and policies regarding cyberspace, arguing that the perceived threat from China is exaggerated and does not take into account China’s own vulnerabilities.

The thirteen chapters of this book provide a unique, comprehensive analysis of China’s cybersecurity policies, institutions, and challenges, including contributions from Chinese experts (one of whom is a member of the PLA), presenting an insight into Chinese perspectives on cybersecurity.

In-depth, comprehensive (including technical) analysis of the large-scale distributed-denial-of-service attack against GitHub and GreatFire.org servers carried out by a Chinese offensive system dubbed “Great Cannon.”

An article by a director of the China Institutes of Contemporary International Relations, the think tank of China’s Ministry of State Security and cosponsor of the Sino-U.S. Cybersecurity Dialogue, outlining a Chinese perspective on cyberwar and suggesting four basic principles for the international community to adopt.

Russia and Cybersecurity

Russia is one of the most advanced cyberpowers. A detailed and historical overview of the government’s approach to cyberspace is provided in Soldatov and Borogan 2015. In 1998, Russia proposed an international cybersecurity treaty and initiated the process at the UN, focusing on the use of information-and-communications technologies in the context of international security, which has become the center of the international community’s discussion about cybersecurity norms today. Meanwhile, Russia’s perspective and approach to cybersecurity differ significantly from those of the United States, which is the focus of three articles written by Russian experts, focusing on the military use of the Internet (Bazylev, et al. 2012), international law and norms (Streltsov 2007), and the application of arms control (Dylevsky, et al. 2014). Russia attracted particular scholarly attention following the cyberincidents in Estonia in 2007 and in Georgia in 2008 and the conflict in Ukraine, which Geers 2015 and Tikk, et al. 2010 investigate in detail.

Discusses the concept of information weapons from a Russian perspective and explores and argues in favor of applying arms control to cybersecurity, using the nuclear nonproliferation regime as a case study.

A unique piece of investigative journalism tracing the history of Russia’s surveillance system and intelligence agencies, providing insight into the Russian government’s perspective on information security.

Provides a historical review of the international community’s efforts to develop norms as well as insight into the Russian perspective on the application of international law, including discussing the issue of territory, attribution problem, and critical infrastructure.

Other Selected Countries and Regions Noteworthy in Cybersecurity Geopolitics

In addition to the world’s great powers, several other countries, such as Israel, North Korea, and Iran, must be highlighted in the context of geopolitical trends relating to cybersecurity, given their sophisticated and increasingly sophisticated capabilities. Jun, et al. 2015 focuses on North Korea, which deserves special attention in light of its use of offensive cyberoperations. Feakin, et al. 2015 provides an overview of cybersecurity developments in twenty countries in the Asia-Pacific region. Lewis 2014 discusses cybersecurity from the perspective of the Gulf region, while Bronk and Tikk-Ringas 2013, an analysis of the cyberattack against the oil company Saudi Aramco, is included to shed light on the developing threat landscape and escalatory development in the early 21st century. Tabansky and Ben Israel 2015 offers a comprehensive analysis of cybersecurity in Israel. Meanwhile, a New York Times article about hackers in Argentina (Perlroth 2015) and a BBC article about the arrest of Chinese hackers in Kenya (BBC 2014) illustrate the global dimension of the cybersecurity ecosystem. Abdenur and Pereira da Silva Gama 2015 is included to provide a reference and analysis of Brazil’s diplomatic efforts to curb cyberespionage following the Snowden disclosures.

Analyzes Brazil’s diplomatic initiative for international regulation of cyberespionage in response to the Snowden disclosures, using the literature from international relations (IR) norms and discussing the reframing of espionage through a human rights rather than a security lens.

Comprehensive analysis of the cyberattack against the Saudi Arabia–based oil company Saudi Aramco, the most damaging cyberattack against a private company at the time and interpreted as a new escalatory development.

This second annual assessment provides a ranking of twenty countries in the Asia-Pacific, scored on a series of indicators ranging from governance to cybercrime, military, business, and social, including data on new developments and key trends in the region.

A comprehensive and in-depth analysis of North Korea’s cyberoperations, containing an outline of North Korea’s broader strategy, including its cyber component as well as its organizational structures. The project directors were Victor D. Cha and James Andrew Lewis.

One of the first, lengthier reports analyzing cybersecurity in the Middle East from the perspective of the Gulf, highlighting that stand-alone cyberincidents are part of a broader political pattern and conflict including the United States.

Laws, Norms, and Response Mechanisms in Cybersecurity

Whereas the debate around 2010 still focused on assessing whether cyberthreats are real or not, the growing number of cyberincidents from Stuxnet to the Great Cannon and the Bangladeshi Central Bank cyberheist has since given way to a more nuanced and detailed discussion of how to address the threats and how they relate to existing concepts and frameworks. Kanuck 2010 discusses how sovereignty and public international law apply to cyberspace, a topic that is also the focus of Demchak and Dombrowski 2011, which argues that states are increasingly imposing Westphalian notions of sovereignty on the Internet. Healey 2011 offers a spectrum for assessing state responsibility for cyberattacks, while Clemente 2013 evaluates what infrastructure should be considered critical. Skierka, et al. 2015 provides a general overview of computer security incident response teams and the nascent global-assistance regime. Barrett 2013 illustrates the growing number of publications assessing the use of cyberoperations from an ethical perspective, with Arquilla and Ronfeldt 1993 being among the first studies advancing the argument that cyberwarfare could potentially lead to a less violent form of warfare. Hughes 2010 explores the feasibility of a new cybersecurity treaty, whereas Lin 2012 highlights the challenges of applying traditional arms controls to cyberspace.

One of a growing number of contributions by scholars of philosophy and ethics to the discussion about rules of the road for cyberspace and potential restraints for the offensive use of the Internet for military purposes. The author discusses the ethical implications of offensive cyberoperations from a perspective of jus ad bellum and jus in bello.

Evaluates critical infrastructures from the perspective of global interdependence. This report includes a set of recommendations based on the assessment that significant global interdependence exists among critical infrastructures with growing challenges.

Argue that states are taking steps to replicate borders and to impose Westphalian sovereignty onto cyberspace, viewing Stuxnet as a turning point. The authors encourage this process partly for practical reasons, to make harm through offensive cyberoperations more difficult.

This article discusses states’ use of nongovernmental actors as proxies and how they can be held responsible. It provides an outline of the various relationships, mapping them onto a spectrum of state responsibility.

This article, written by the US national intelligence officer for cyber issues, discusses sovereignty in the context of cyberspace, the application of public international law, and norms and strategic considerations.

Highlights the challenges for an international cybersecurity agreement and the differences from traditional arms control. Discusses challenges around verification and enforcement as well as the role of transparency and confidence-building measures.

International Law and Cyberspace

The international community has been actively discussing the role and application of international law to cyberspace. Until 2013, some states such as China actively contested applying existing law, proposing to develop new law instead. Meanwhile, international lawyers have been studying how to interpret specific international-law provisions in their application to cyberspace, primarily focusing on jus ad bellum and jus in bello. Sharp 1999 provides an early analysis of how the law governing the use of force applies to cyberspace, as does Dörmann 2004, a discussion focusing on the Additional Protocols five years later. Hathaway, et al. 2012 provides an in-depth analysis of the law applying to cyberattacks. Similarly, Roscini 2014 focuses on how international humanitarian law can be applied to cyberoperations. The Tallinn Manual on the International Law Applicable to Cyber Warfare (Schmitt 2013), developed by Michael Schmitt and a group of international lawyers, is the most comprehensive analysis of how international humanitarian law applies to cyberspace. Harold Hongju Koh (Koh 2012), in his role as the legal adviser of the US Department of State, outlines the US government’s perspective on the application of international law. Lin 2011 pushes the envelope of how international law applies, by focusing on cyberincidents whose effects remain below the threshold of use of force and armed attack, which includes the vast majority of incidents to date. Similarly, Schmitt 2015 offers an in-depth assessment and argument in favor of applying the legal concept of due diligence to cyberspace.

Deputy head of the International Committee of the Red Cross’s legal division analyzes the application of international humanitarian law to computer network attacks, arguing that given Article 36, the Additional Protocols were likely intended to cover such new means of warfare, largely sharing Schmitt’s views outlined in the latter’s article in the same volume.

Outlining his views in his role as legal adviser of the US Department of State while on leave from Yale Law School, Koh wrote this article as the footnoted version of a speech he gave at the US Cyber Command in September 2012.

Lin, Herbert. “Responding to Sub-threshold Cyber Intrusions: A Fertile Topic for Research and Discussion.” In Special Issue: International Engagement on Cyber: Establishing International Norms and Improved Cybersecurity. Georgetown Journal of International Affairs 11 (2011): 127–135.

Focuses specifically on cyberintrusions below the threshold of use of force and armed attack, highlighting that while nearly all incidents to date fall into this category, scholars have spent significantly more attention discussing potential incidents above the threshold.

Consisting of five chapters, this book analyzes the application of international humanitarian law to cyberspace, with a chapter each on cyber operations in the context of jus ad bellum and jus in bello followed by chapters focusing on the conduct of hostilities and on the law of neutrality specifically.

Detailing the consensus view of an independent group of twenty international-law experts and written under the auspices of NATO’s Cooperative Cyber Defence Centre of Excellence, the Tallinn Manual represents the most comprehensive analysis at the time of its publication of the application of international law relating to cyberwarfare and has since become an important reference document for this legal discussion.

In-depth discussion of how the principle of due diligence in international law could apply to cyberspace, including its preventive dimension, exploring pros and cons of its application and ultimately arguing in favor of its application.

Comprehensive analysis by former deputy legal counsel to the chairman of the US Joint Chiefs of Staff on how existing international law applies to the use of force in cyberspace, arguing that existing international law applies and that potential further attempts to regulate such activities first require an understanding of the application of existing law and identification of potential gaps.

Norms and Cybersecurity

Complementing the consultations over the applicability of existing international law to cyberspace, much of the international community’s discussion of rules of the road for cyberspace has centered on the concept of norms. Finnemore 2011 discusses norms for cyberspace in the context of the broader related international relations (IR) literature, while Hollis 2011 is an example of a specific norm proposed for cyberspace, using an analogy to existing norms. Kavanagh, et al. 2014 describes the various international fora where the norms discussion is taking place, and Hurwitz 2015 and Farrell 2015 offer substantive input for which norms to apply and develop for cyberspace. The reports by the groups of governmental experts developed under the auspices of the UN (UN General Assembly 2013, UN General Assembly 2015) and the 2015 G20 communiqué (G20 Leaders’ Communiqué) outline the international community’s views, to date, on how international law and norms apply to cyberspace. Osula and Rõigas 2016 provides current expert perspectives on international cybersecurity norms.

Argues that the US government’s efforts to promote norms for cyberspace suffered a setback following the Edward Snowden disclosures in 2013, and therefore recommends reforming US intelligence activities, providing more evidence when shaming actors, and assigning a leadership role for other states and private actors in promoting such norms.

First multilateral, head-of-state-level agreement that “no country should conduct or support ICT-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”

On the basis of discussions at the MIT / Harvard University / University of Toronto cyber norms workshops in 2011 and 2012, this report discusses in eight chapters the evolution of the West’s cyber norms and alternative models, the applicability of international law, norms, technological foundations, and roles of various actors.

Provides a comprehensive overview of international processes at regional and global levels from 2011 to 2013, focusing not just on cybersecurity but on other related information and communications technology (ICT) issues from a broader diplomatic lens.

This publication consists of eleven chapters discussing cyber norms from the perspectives of international law and the US Department of Defense Law of War Manual; the process at the UN; and confidence-building measures, in comparison to space, with regard to China; as well as from the perspective of the private sector.

Following the first consensus report adopted by the preceding group of governmental experts under the auspices of the UN in 2010, this report is particularly noteworthy for its affirmation that existing international law and the UN Charter apply online as well as offline, after years of resistance by some states.

Building on UN General Assembly 2013, this document is the first detailed report adopted by the group of governmental experts under the auspices of the UN, with specific details regarding the application of international law and outlining specific norms for cyberspace.

Confidence-Building Measures and Cybersecurity

Emulating the concept of confidence-building measures (CBMs) developed during the Cold War, states in the early 21st century have started to focus on enhancing transparency and cooperation in the context of cybersecurity to reduce misperceptions and mistrust. Lewis 2011 argues for this approach, and the UN Institute for Disarmament Research Cyber Index (UN Institute for Disarmament Research 2013) discusses CBMs in depth, including their history and application to cyberspace. Healey, et al. 2014 proposes to advance CBMs for collaboration, crisis management, restraint, and engagement by not only relying on states but including nongovernmental actors, too. The 2016 agreement of the Organization for Security and Co-operation in Europe (OSCE) member states provides the most comprehensive list of CBMs for cyberspace to date, building on the initial agreement in 2013 (Organization for Security and Co-operation in Europe 2016).

Proposes a multistakeholder-centric approach including nongovernmental actors to developing CBMs for cybersecurity, outlining four types of CBMs ranging from collaboration to crisis management, restraint, and engagement.

In addition to providing an update to the 2011 cyber index of countries’ cybersecurity postures, this publication includes an extended discussion of CBMs generally and their history and evolution, as well as their early-21st-century application to space and cyberspace.

Deterrence and Cyberspace

Much of the strategic literature developed after World War II focused on the concept of deterrence. Comprehensive frameworks of deterrence were soon adapted specifically for the context of the Cold War and nuclear deterrence. Nye 2011 compares nuclear deterrence to deterrence in cyberspace, providing a nuanced assessment of its limitations and insights. Libicki 2009 offers an in-depth analysis of how to apply deterrence for cyberspace, while Goodman 2010 discusses a series of cyberincidents from the perspective of deterrence failures. Denning 2015 argues that cyberspace is not that different from other domains and that deterrence ought to be discussed not in the context of cyberspace writ large but with respect to specific cyberweapons. A central theme of the scholarship on deterrence and cyberspace focuses on attribution, with Lupovici 2016 applying constructivist theory to the attribution problem and Rid and Buchanan 2015 providing a comprehensive review of the literature and synthesizing it in a new model. Stevens 2012 explores deterrence in relationship to norms, and Tang, et al. 2010 provides perspectives on deterrence from China, Russia, India, Norway, and the United States.

Argues that other domains of warfare except land are as much man-made as cyberspace and that cyberspace has many similarities to other domains, including significant constraints vis-à-vis its malleability. Moreover, the author suggests discussing deterrence in the context of specific cyberweapons rather than the domain as a whole.

Uses the distributed-denial-of-service attack against Estonia in 2007 and the conflict in Georgia in 2008 in addition to three espionage incidents as case studies for deterrence failures and discusses the implications for broader deterrence theory.

In-depth analysis of deterrence in the context of cyberspace, discussing asymmetric advantages and incentives for states to use offensive cyberoperations. Includes sections on strategic cyberwar and operational cyberwar, and a discussion of why intent of the attacker matters.

Applies constructivist theory to discuss the attribution problem and deterrence in the context of cybersecurity. The author uses Stuxnet as a case study to examine social factors and the social construction of violence influencing actors’ behavior.

Key article on the evolving debate about analogies between nuclear threats and cyberthreats and concomitant deterrence and strategies. Argues that despite numerous differences, comparing the initial uncertainty about nuclear threats, strategies, and cooperation in the Cold War helps put into perspective current challenges in designing cybersecurity policies.

Reviews the state of the art of the literature on the attribution problem in cyberspace, concluding that attribution is not as difficult as it was perceived to be and offering a model to guide the process to determine attribution.

Analyzes deterrence in cyberspace by reviewing the evolution of US cyberdeterrence theory, discussing the relationship between deterrence and norms, and studying the US approach and the role of deterrence and norms, as well as other norm entrepreneurs (namely, Russia).

International Institutions

Governments have engaged in regional and global institutions to enhance cooperation on reducing cybersecurity threats. Nye 2014 analyzes the evolution of a cybergovernance regime complex through the lens of regime theory. Choucri, et al. 2014 adopts institutional theory to depict the institutional landscape of national and international responses to cybersecurity threats more specifically. The authors find that the level and scope of organization and cooperation are steadily increasing, but they argue that the cybersecurity “institutional ecosystem” as a whole is still under construction and that its multiple components are often disconnected. An early and comprehensive analysis of international institutional responses to cyberthreats is provided in Portnoy and Goodman 2009. These overviews reveal that the evolving cybersecurity regime complex consists not only of regional and international governmental organizations and groupings, but also of nonprofit and for-profit international nongovernmental organizations. In addition to these analyses, the NATO Cooperative Cyber Defence Centre of Excellence maintains an interactive database (INCYDER) that provides a periodically updated overview of the multiple multilateral organizations active in cybersecurity, as well as access to the relevant legal and policy documents these organizations adopted.

Provides an empirical catalogue of national and international institutions responding to cyberthreats and cybercrime, selected via criteria defined by institutional theory, arguing that the institutional architecture has significantly developed but is still evolving as it needs to design new pertinent mechanisms.

INCYDER is the acronym for International Cyber Development Review. Catalogues the major regional and international organizations, outlines the evolution of their activities and the main bodies in the cybersecurity area, and provides regularly updated access to the key documents.

Takes the perspective of regime theory to map cybergovernance activities more broadly and finds that while there is no single regime for the governance of cyberspace, a regime complex—a loosely coupled set of institutions and norms—has emerged. It finds the issue of cyberwar to be highly state controlled and to involve many actors that contest the existing norms.

Global Institutions and Cybersecurity

International institutions operating at the global level have been focusing on cybersecurity particularly since the late 1990s. The Group of Eight (G8), an intergovernmental grouping of eight nations representing the majority of the world’s economy at the time, established the G8 24/7 High Tech Contact Points network in 1997 to facilitate communication between governments and help them share information on evolving threats. Almost two decades later, the heads of member states of an enlarged grouping representing the world’s leading economies, the G20, issued a statement outlining a norm against state theft enabled by information and communications technology (ICT) (G20 Leaders’ Communiqué, cited under Norms and Cybersecurity). Among the treaty-based, decision-making global international organizations, the UN has been the most active in discussing cybersecurity. Maurer 2011 traces the complex involvement of multiple UN bodies in cybersecurity, from the First Committee of the UN General Assembly to the International Telecommunication Union (ITU) as a specialized agency, and their roles in the discussion on international norms. Importantly, the UN established the group of governmental experts (GGE), which first convened in 2004 and since then has produced influential reports detailing states’ perspectives on international norms for cybersecurity. UN General Assembly 2013 (cited under Norms and Cybersecurity) contains the group’s second consensus report, including the agreement that existing international law applies online as well as offline. The provisions in UN General Assembly 2013 are further consolidated and specified by a successor report (UN General Assembly 2015, cited under Norms and Cybersecurity), which also details a list of voluntary norms.
Meanwhile, the Organisation for Economic Co-operation and Development (OECD) issued a new set of guidelines in 2015, replacing those of 2002 and highlighting the importance of digital security for economic stability (Organisation for Economic Co-operation and Development 2015).

A governmental informal network created by the G8 in cooperation with the International Criminal Police Organization (INTERPOL) in 1997 to facilitate around-the-clock communication between the attending governments’ law enforcement agencies.

Among the first comprehensive studies of the UN’s activities relating to cybersecurity, conceptualizing two strands of discussion—politico-military and economic—and applying the international relations (IR) literature on norms in the analysis of the activities across UN bodies.

The latest of a number of influential guidelines by the OECD Working Party for Security and Privacy in the Digital Economy, which also maintains a useful archive on the institution’s instruments, reports, and events.

Regional Institutions and Cybersecurity

Regional institutions have become increasingly active in discussing the security of ever more connected regional information infrastructures, combating cybercrime, and projecting regional positions globally. The North Atlantic Treaty Organization (NATO), in response to the distributed-denial-of-service attack against its member state Estonia in 2007, established the Cooperative Cyber Defence Centre of Excellence and subsequently declared that cyberattacks might lead to the activation of collective defense (NATO 2014). Fidler, et al. 2013 elaborates on this development. In the Asia-Pacific, the Association of Southeast Asian Nations (ASEAN) and the ASEAN Regional Forum, the Asia-Pacific Economic Cooperation forum, and the Shanghai Cooperation Organization (SCO) all have started cybersecurity initiatives to enhance intra- and cross-regional cooperation. Of these, the SCO has been among the most prominent in the global debate on cybersecurity norms. Following an agreement to enhance cooperation on cybersecurity regionally (Shanghai Cooperation Organization 2009), SCO members subsequently submitted drafts for an international code of conduct for information security to the UN General Assembly in 2011 and 2015, reviewed in detail in McKune 2015. The Organization of American States (OAS) adopted an integral strategy to improve its member states’ cybersecurity policies and enhance regional cooperation as early as 2004 (Organization of American States 2004); its effectiveness is evaluated in a collaborative report with the Inter-American Development Bank (Organization of American States and Inter-American Development Bank 2016). The African Union (AU) also acknowledged the increasing cybersecurity risks in its member states and adopted a convention on cybersecurity in 2014 (African Union 2014).
The European Union (EU) published a cyber security strategy (European Union 2013), the first comprehensive document outlining the institution’s vision and responsibilities of national and EU-level entities across the three pillars of information-and-network security, law enforcement, and defense. Importantly, it underlines that the member states remain primarily responsible for securing cyberspace, and declares that member states could invoke the EU Solidarity Clause in case of a particularly severe cyberattack. Christou 2016 describes the negotiations that led to the strategy and explores future prospects. The Council of Europe has adopted the first international treaty on cybercrime (Council of Europe 2001).

Adopted in June 2014, the convention establishes a standard legal framework to reduce risks in electronic transactions, protect personal data, and address cyber insecurity and cybercrime at the national and AU levels. For a critical appraisal, including concerns about the convention’s human rights implications, see online.

On the basis of a conceptual framework of cybersecurity as resilience in cyberspace, Christou reviews in seven chapters the evolution of EU cybersecurity policymaking since about 2005 and concludes that its structure is fragmented and the scope of responses to cyberthreats is limited when compared to leading actors such as the United States.

The authors (the first, an expert on international law in cyberspace; the latter two, NATO officials) highlight the challenges facing NATO member states with regard to principles, practices, and politics, and call upon the organization to adapt more rapidly before a major cybercrisis recurs.

In-depth analysis of the latest draft of the International Code of Conduct for Information Security submitted by SCO members, accompanied by an interactive, line-by-line, annotated comparison of the 2011 and 2015 versions.

After several years of internal discussions, NATO member states included a declaratory statement in the 2014 summit declaration that NATO’s Article 5 also covers cyberattacks and that its application will be decided on a case-by-case basis. Also states that NATO recognizes that international law applies to cyberspace.

Tasked the Secretariat of the OAS Inter-American Committee against Terrorism to support member states in developing national cybersecurity strategies, establishing national computer security incident response teams (CSIRTs), and maintaining a network among these.

Agreement charting future cooperation on cybersecurity among all SCO member states and constituting the basis for the controversial International Code of Conduct for Information Security (available online), proposed by four SCO members in 2011 and submitted to the UN General Assembly as a revised version by six members in 2015 (available online).